Why security teams must shift from reactive into proactive mode

Amid a rising tide of cybersecurity threats, many security teams find themselves constantly reacting to what is occurring around them. This mode of working needs to change, and quickly.

The need for proactive security measures is being driven by the world’s increasing reliance on software. Everything from large corporate IT infrastructures to the family car now need code to function.

At the same time, many businesses are currently undertaking digital transformation programs to improve operations and allow them to meet customer demands more quickly. This process is likely to involve creating new digital connections with machines that collect data, share information with other machines, and make autonomous decisions based on the situation in which they find themselves.

Also, every one of these machine connections requires a machine identity to secure its communications. This is the case whether they are systems, applications, APIs, or cloud-native software.

On average, an organisation now has twice as many machine identities as it did just 24 months ago. However, IT security teams have not applied the same digital-transformation strategies used in other areas to the management of these machine identities.

Machine identity weak spots
Around the world, cybercriminals are becoming much more aware of the gaps in the machine-identity strategies used by many organisations. As a result, there has been a string of attacks taking advantage of poor machine-identity management and protection.

During the past 12 months, there have been a range of attacks leveraging machine identities. The malware dubbed Hildegard utilised SSH machine identities to attack Kubernetes clusters. The attack on SolarWinds bypassed code-signing machine identities to deploy malicious code, while the attack on MonPass’s web server used TLS/SSL machine identities to evade detection.

Cybercriminals often use machine identities to make them appear legitimate and circumvent security controls. Stolen machine identities can give a hacker privileged access to critical systems, so they can move laterally through a network and stay hidden for an extended period of time.

These attacks are also becoming more sophisticated as techniques trickle down from nation-state groups to the everyday cybercrime gangs. Unfortunately, this means that the levels of risk being faced by organisations are only going to continue to increase.

Minimising the risk of machine-identity attacks

In response to this evolving threat landscape, it is important for organisations to mitigate the risks of machine-identity attacks. If this is not done, weak machine identities will continue to let hackers gain access and cause disruption and losses.

Enterprises need to improve their practices across the three keys areas of visibility, intelligence, and automation.

  • Visibility is important to ensure all policies are enforced efficiently and there is a complete inventory of machine identities. This is important so that IT security teams can be confident they have the visibility into their network and processes in place to respond quickly should an attack take place.
  • Intelligence means having comprehensive and actionable intelligence across the entire machine-identity lifecycle. It needs to include certificate enrolment, installation, renewal, and revocation which will help enterprises protect and secure authorised, encrypted communications between machines. This level of machine-identity intelligence will enable much of the cost associated with managing certificates in a machine landscape to be avoided.
  • Automation is also important as it lowers the pressure on the security team, as well as reducing errors and mistakes that can result from oversights, such as forgetting to perform activities. Automation lets a security team orchestrate a set of rapid actions that can be focused on a single machine identity or an entire group of identities at machine speed. It also minimises the overhead of manually switching certificate authorities (CAs) and replacing vulnerable machine identities.

By focusing on these three areas, IT teams will be able to increase the security of the entire machine-identity lifecycle. This will include enforcing strong certificate security policies, streamlining and expediting remediation, validating that machine identities are properly installed and working correctly, and continuously monitoring the strength and security of certificates.

The cyberthreats faced by organisations will continue to evolve and increase in number. Taking these steps now will ensure the best possible preventative measures are in place at all times.


Brooke Crothers
Brooke Crothers is Editor, Machine Identity Management Security at Venafi